help with swatch rc script

Michael Scheidell scheidell at freebsd.org
Mon Jan 23 20:51:54 UTC 2012


It seems that every time there is a solar flare, swatch status stops 
working.

This means that service swatch stop won't work because it doesn't know 
it's running; restart, nothing.  I tracked it down, and it is the size of 
the swatch_x_flags line that causes the problem: too small, and it 
won't work!


example:

simple swatch in rc:

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/usr/local/etc/swatch-hackertrap.conf 
--tail-file=/var/log/eventlog --tail-args=-F --daemon 
--pid-file=/var/run/swatch_1.pid"
swatch_1_pidfile="/var/run/swatch_1.pid"
swatch_1_chdir="/var/tmp"

(with/without swatch_1_pidfile, with/without swatch_1_chdir...)

doesn't matter.

  service swatch status
swatch is not running.
atrium-ru.hackertrap.net# ps -auxww | grep swatch
root    22182  0.0  0.7 28080 13812  ??  Is   12:26AM   0:00.00 
/usr/local/bin/swatch 
--config-file=/usr/local/etc/swatch-hackertrap.conf 
--tail-file=/var/log/eventlog --tail-args=-F --daemon 
--pid-file=/var/run/swatch_1.pid (perl)
root    22252  0.0  0.1  7884  1380  p1  S+   12:31AM   0:00.00 grep swatch
atrium-ru.hackertrap.net# cat /var/run/swatch_1.pid
22182


now, I can't blame the last person who touched files/swatch.in, because 
it was a previous pr I opened that added the procname to it.
<http://www.freebsd.org/cgi/query-pr.cgi?pr=148893>

(before.. something happened..) it didn't work _without_ procname in rc 
script.

The rc script itself is a little messy, and before I go to the 
maintainer with a pr, I would like to get it to work in all environments.
(Again, it ~seems~ to only work now if you have a very long swatch_flags 
line.)

doesn't matter if I use
swatch_x_flags='ljljljlkjlk "ljljlkj " lk lj '

or " \" \" (doesn't matter if I use single or double quotes)

multi line or single line.

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf 
--tail-file="/var/log/eventlog /var/log/messages" \
--tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'


  ps -auxww | grep swatch
root    22383  0.0  0.7 28080 13816  ??  Is   12:39AM   0:00.00 
/usr/local/bin/swatch 
--config-file=/usr/local/etc/swatch-hackertrap.conf 
--tail-file=/var/log/eventlog /var/log/messages --tail-args=-Fn0 
--daemon --pid-file=/var/run/swatch_1.pid (perl)

It's the length of the --tail-file, or the total length of the command line:

THIS WORKS:

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf \
--tail-file="/var/log/eventlog /var/log/messages /var/log/test1 
/var/log/test2 /var/log/test3 
/var/log/test4_but_add_a_humungious_long_file_to_put_it_past_some_buffer_and_it_finally_works" 
\
--tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'

service swatch status
swatch is running as pid 22595.
atrium-ru.hackertrap.net# ps -auxww | grep swatch
root    22595  0.0  0.7 28080 13812  ??  Is   12:45AM   0:00.00 
/usr/local/bin/perl //.swatch_script.22591
root    22620  0.0  0.1  7884  1380  p1  S+   12:47AM   0:00.00 grep swatch


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator

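The two ps listings above show the mechanism behind the symptom: with the short flags line the process still reports argv[0] as /usr/local/bin/swatch (the trailing "(perl)" is FreeBSD ps marking that the executable name differs from argv[0]), while with the long flags line it reports /usr/local/bin/perl running the generated script. An rc.d status check only compares argv[0] of the pid named in the pidfile against the script's procname, so one case passes and the other is reported as not running even though the daemon is alive, and "service swatch restart" then does nothing. The following is an added example, not code from the post or from the FreeBSD swatch port: a simplified model of that check, run over a process table constructed from the two ps lines quoted above. It assumes procname in the swatch rc script is /usr/local/bin/perl.

```shell
#!/bin/sh
# Added example, not code from the post or from the FreeBSD swatch port.
# Simplified model of an rc.d status check: look up the pidfile's pid in
# `ps -o pid= -o command=` output and require argv[0] (first word of the
# command column) to equal $procname, either as a full path or by basename.
# Assumption: procname in the swatch rc script is /usr/local/bin/perl.

# Constructed stand-in for `ps -o pid= -o command=` output, built from the
# two ps lines quoted in the mail: short-flags case (22182) and long-flags
# case (22595). One process per line, pid first.
PS_TABLE='22182 /usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid (perl)
22595 /usr/local/bin/perl //.swatch_script.22591'

# argv[0] of a command line: its first whitespace-separated word.
arg0_of() {
    set -- $1
    printf '%s\n' "$1"
}

# Command column for a given pid from the table; empty if the pid is absent.
command_of() {
    _pid=$1
    printf '%s\n' "$2" | awk -v p="$_pid" '$1 == p { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Simplified rc.subr-style check. Prints a status line in the same form as
# the `service swatch status` output quoted in the mail; returns 0 or 1.
status_check() {
    _procname=$1; _pid=$2; _table=$3
    _cmd=$(command_of "$_pid" "$_table")
    if [ -z "$_cmd" ]; then
        echo "swatch is not running. (pid $_pid not in process table)"
        return 1
    fi
    _arg0=$(arg0_of "$_cmd")
    case "$_arg0" in
        "$_procname"|"${_procname##*/}")
            echo "swatch is running as pid $_pid."
            return 0 ;;
    esac
    echo "swatch is not running. (argv[0] is $_arg0, procname is $_procname)"
    return 1
}

# Walk both cases so the block is self-demonstrating when run directly:
# 22182 is reported as not running, 22595 as running.
for pid in 22182 22595; do
    status_check /usr/local/bin/perl "$pid" "$PS_TABLE" || :
done
```

Running the block prints "swatch is not running." for pid 22182 and "swatch is running as pid 22595." for the other, matching the two sessions in the mail. The practical point for anyone monitoring with swatch is that a pidfile check keyed to a single procname is only as reliable as the daemon's argv[0], so a health check for a log watcher should confirm the process named in the pidfile is alive and is the expected program by more than its first argv word, and should alert when "status" and the process table disagree.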


More information about the freebsd-ports mailing list